León, December 13, 2024.- The National Cybersecurity Institute (INCIBE), an entity under the Ministry for Digital Transformation and the Public Service, through the Secretary of State for Telecommunications, Digital Infrastructures and Digital Security, has today presented an innovative report on the security of connected toys, becoming the first European body to carry out a comprehensive analysis according to the criteria of the European Union's Cyber Resilience Act (CRA). The report is part of the actions Spain is leading to protect consumers and companies against vulnerabilities in devices with digital components.
The EU Cyber Resilience Act (CRA) entered into force in December 2024 and has a three-year transition and adoption period. After that period, compliance will be mandatory for manufacturers and distributors of products marketed in the EU. Member States will also have to inspect between 3% and 10% of the products on the market, depending on risk, product criticality, category and market volume.
Spain, through INCIBE, is therefore the first European country to carry out this analysis, during the current voluntary phase.
The event, held at the headquarters of INCIBE in León, was attended by the Minister of Digital Transformation and Public Function, Óscar López, and the Secretary of State for Telecommunications, Digital Infrastructures and Digital Security, Antonio Hernando.
In his speech, the minister highlighted: "With this report, Spain reinforces its leadership in the implementation of the Cyber Resilience Act, not only by complying with European standards, but also by anticipating its demands. Connected toys are a sample of how technology can be an ally of leisure and learning, as long as they are used safely. This joint effort with manufacturers and consumers is essential to especially protect the most vulnerable, our children."
Key Report Results
To carry out the study, INCIBE selected 26 smart toys, taking into account the best sellers on online platforms. These toys are able to handle user data through video or audio recording, a Bluetooth or Wi-Fi connection, or a mobile application used to operate the device.
Their vulnerabilities were evaluated and improvement requirements were identified for manufacturers, reinforcing key protection aspects so that the products analyzed meet the highest safety and reliability standards. These requirements are accompanied by recommendations to offer consumers a safe, high-quality user experience.
The study provides the following information and results:
Critical points identified: some products showed problems such as insecure default configurations, which can allow the insecure transmission of sensitive data such as passwords; deficiencies in the implementation of security updates; or vulnerable mobile applications, which could allow attackers to exploit vulnerabilities and even take remote control of the device.
Attack vectors evaluated: 8 key areas have been evaluated, with toys divided according to their connection technologies and exposure surfaces: analysis of vulnerabilities and of the update capabilities needed to remedy them, examination of the mobile and/or desktop applications required for the toy to function, analysis of robustness against common attacks, and analysis of the security of physical and wireless connections.
Improvement proposals: suggestions for families and manufacturers to strengthen cybersecurity and digital trust, aligned with the European Cyber Resilience Act (CRA).
During the presentation, a live demonstration was held to illustrate how an attacker could compromise a remote-controlled toy car and use it as a bridge to access other devices on the home network. This practical exercise highlighted the importance of strengthening protective measures in products aimed at children.
Commitment to digital security
The report is part of a broader INCIBE strategy to work closely with manufacturers and foster responsible innovation. For more information, see the "Guide to the safe use of Connected Toys", launched in 2018 together with the Spanish Association of Toy Manufacturers, which consolidates INCIBE as a reference in cybersecurity for minors.